IETF Logo Mail Archive

Re: [Doh] [Ext] draft-ietf-doh-resolver-associated-doh-02 comments

Paul Hoffman <paul.hoffman@icann.org> Wed, 20 March 2019 01:03 UTC

Return-Path: <paul.hoffman@icann.org>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C05D130E68 for <doh@ietfa.amsl.com>; Tue, 19 Mar 2019 18:03:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gF83uMw0VVUn for <doh@ietfa.amsl.com>; Tue, 19 Mar 2019 18:03:20 -0700 (PDT)
Received: from out.west.pexch112.icann.org (out.west.pexch112.icann.org [64.78.40.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E5B0128DFF for <doh@ietf.org>; Tue, 19 Mar 2019 18:03:20 -0700 (PDT)
Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-2.pexch112.icann.org (64.78.40.23) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Tue, 19 Mar 2019 18:03:18 -0700
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.1367.000; Tue, 19 Mar 2019 18:03:18 -0700
From: Paul Hoffman <paul.hoffman@icann.org>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
CC: "doh@ietf.org" <doh@ietf.org>
Thread-Topic: [Ext] [Doh] draft-ietf-doh-resolver-associated-doh-02 comments
Thread-Index: AQHU3pXQS3mzifcedk+qXWIs0U3KpKYUKZSA
Date: Wed, 20 Mar 2019 01:03:18 +0000
Message-ID: <E83A0D72-01E0-4C35-9100-C745908A4340@icann.org>
References: <6980a503-bbe2-ffa1-351e-0d2005221bf2@cs.tcd.ie>
In-Reply-To: <6980a503-bbe2-ffa1-351e-0d2005221bf2@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.0.32.234]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <5F90B0CC3E621546AB2AA2B49C546005@pexch112.icann.org>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/dw1cuHMrFzKI3Ff8nUAJ98qj9Io>
Subject: Re: [Doh] [Ext] draft-ietf-doh-resolver-associated-doh-02 comments
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Mar 2019 01:03:22 -0000

On Mar 19, 2019, at 1:53 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> - Section 2: what about OCSP? are we assuming that the OCSP
> responder is resolved by the precursor system resolver or
> the DoH resolver or both? I don't think it makes a security
> difference (OCSP works or doesn't as usual), but it may be
> a gotcha in terms of establishing the TLS session. Or, are
> we assuming there's no point in OCSP for an IP-address
> cert? (I forget;-)

This is an interesting question. It assumes that the application has no DNS resolver when the HTTPS query is sent, and that getting the associated DoH server is a prerequisite to sending DNS (in this case, to locate the OCSP server).

That was certainly not the intention, given that the application can send DNS queries for the other protocols described. I'll add a note to that effect in the next draft.

> - Section 2: "the normal rules for HTTP" - does that mean
> all re-directs MUST be HTTPS too? And can those URLs use
> DNS names or must they be IP address certs too?

The term "normal HTTP" was used in the DoH spec (RFC 8484), and here "normal rules for HTTP" were assumed to be the same.

> - Sections 3 & 4: the use of special-use domain names here
> seems ickky to me. ("ickky" being a technical terms for "I
> don't like that but can't justify my opinion" :-) I think
> it'd be a pity to see more crap DNS queries emitted from
> browsers though and would love to see something better.

Better suggestions are still heartily welcomed. These are the result of many comments on earlier drafts, but you are not alone in disliking the use of special-use domain names.

> I
> also wonder what'd happen with these queries in a home n/w
> with a never-updated router or with a brand-new flashy
> home router that e.g. has a public DNS name.

Nothing special. If a resolver doesn't understand the SUDN, it will pass it upstream and get an NXDOMAIN answer back.

> (In that
> latter case, I can easily get a cert for the name of my
> home router, but not for it's IP address.)

Certificates are not useful for the protocols in these sections.

> - Section 7, para 1: that's way too one-sided. DoH could
> be less privacy-friendly (than say DoT) due to cookies and
> whatnot.

The sentence explicitly says "communication privacy", not overall privacy, for the very reason you give. I guess that wasn't clear enough. I'll add "However, using a DoH server can also reduce overall privacy because both TLS and HTTPS allow for user identification in ways that plain Do53 does not."

> - Section 8: Why diss. DoT? It's not a competition:-)

For many people, it is. That is, people constantly ask why should DoH even exist if DoT already exists. This helps explain that.

--Paul Hoffman

v2.23.0 | Report a Bug | By Email